OK, sadly this means I can't validate live. So I'm on my own old validation, which worked like this:
- Extension calls an API command to get a transaction token inside onTransactionComplete
- After this, send the transaction data from Twitch together with the created token to the API
- API checks if the token is valid (unique, not used, creation time < 10 minutes, same HTTP_REFERER)
- Respond with the data to the extension.
Do you think this is secure enough? Oh, and the token can only be created from the extension referer.
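
The token check described in this post, sketched as an added example that is not the poster's code: a server-side store that issues a random token and redeems it once, within 10 minutes, for the same referer. The names `issueToken`, `redeemToken`, and the in-memory `Map` are assumptions made for illustration.

```javascript
// Added example, not from the original post. Names and storage are hypothetical.
const crypto = require('crypto');

const TOKEN_TTL_MS = 10 * 60 * 1000; // "creation time < 10 minutes"
const tokens = new Map();            // token -> { createdAt, referer, used }

// Called when the extension asks for a transaction token.
function issueToken(referer, now = Date.now()) {
  // 32 random bytes from the CSPRNG: unique and not guessable.
  const token = crypto.randomBytes(32).toString('hex');
  tokens.set(token, { createdAt: now, referer, used: false });
  return token;
}

// Called when the extension sends the transaction data plus the token.
// Returns { ok, reason } so the caller can log why a token was refused.
function redeemToken(token, referer, now = Date.now()) {
  const entry = tokens.get(token);
  if (!entry) return { ok: false, reason: 'unknown' };
  if (entry.used) return { ok: false, reason: 'used' };
  if (now - entry.createdAt >= TOKEN_TTL_MS) {
    tokens.delete(token); // expired tokens are dropped, never revived
    return { ok: false, reason: 'expired' };
  }
  // The Referer header is supplied by the client, so this comparison
  // catches mismatches but does not authenticate the caller.
  if (entry.referer !== referer) return { ok: false, reason: 'referer' };
  // Mark as used before any further processing so a replay is refused.
  entry.used = true;
  return { ok: true, reason: 'ok' };
}
```
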